Bug 1258614
Summary: | Puppet fails to find heat domain ID | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Mike Burns <mburns> | |
Component: | openstack-puppet-modules | Assignee: | Martin Magr <mmagr> | |
Status: | CLOSED ERRATA | QA Contact: | Marius Cornea <mcornea> | |
Severity: | high | Docs Contact: | ||
Priority: | medium | |||
Version: | 7.0 (Kilo) | CC: | calfonso, christopher_dearborn, derekh, dsavinea, gtrellu, ichavero, jslagle, jstransk, jtaleric, mburns, mcornea, mmagr, ohochman, rhel-osp-director-maint, rybrown, sclewis, shivrao, sjeuk, whayutin, yeylon | |
Target Milestone: | z3 | Keywords: | Triaged, ZStream | |
Target Release: | 7.0 (Kilo) | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | openstack-puppet-modules-2015.1.8-28.el7ost | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1252585 | |||
: | 1280379 (view as bug list) | Environment: | ||
Last Closed: | 2015-12-21 17:09:42 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1252585, 1261979, 1280379 |
Description
Mike Burns
2015-08-31 18:42:43 UTC
hrm.. this looks like it's failing. https://bugzilla.redhat.com/show_bug.cgi?id=1273857 *** Bug 1273857 has been marked as a duplicate of this bug. *** The backport had to be reverted from OPM because it brought the CI down, and while adapting instack-undercloud and t-h-t we found that the backport introduced a different bug. The fix for the bug is submitted here: https://review.openstack.org/#/c/239680/ And adaptation of instack-undercloud here: https://review.openstack.org/#/c/239707/ And upstream re-submission of overcloud keystone heat domain here (this part had to be reverted upstream too because of intermittent issues, which would hopefully be solved by the first linked patch): https://review.openstack.org/#/c/180566/ Given that we've historically hit intermittent issues in this area, it would be good to get all these patches merged in upstream first to make sure they're stable enough for backporting into product. I think i found an alternative solution which might be less obtrusive (backporting just one patch instead of three). The problem is with the heat_domain_id_setter resource: Error: /Stage[main]/Heat::Keystone::Domain/Heat_domain_id_setter[heat_domain_id]/ensure: change from absent to present failed: Received error response from Keystone server at http://172.17.0.10:35357/v3/domains: Unauthorized\u001b However, newer versions of Heat, including stable/kilo it seems [1], can use heat domain name instead of the ID, so the heat_domain_id_setter might not be necessary at all. The ID setting has been removed from the puppet-heat module some time ago already in favor of the name setting [2]. So perhaps backporting this single patch [2] could solve the issue for us. Martin does that sound correct? The deployments made with older OSP-d which previously set the ID should just ignore the new name setting. "(StrOpt) Keystone domain ID which contains heat template-defined users. If this option is set, stack_user_domain_name option will be ignored." [3] [1] https://github.com/openstack/heat/blob/534e3e9d076f763f836510856cb890571bfb79c0/heat/common/heat_keystoneclient.py#L100-L102 [2] https://github.com/openstack/puppet-heat/commit/b7d19f43bd729e505d12979350082bf0c26b5b40 [3] http://docs.openstack.org/kilo/config-reference/content/orchestration-configuring-api.html Just to clarify why i'm thinking this could be a solution -- the ID has to be queried from Keystone, requiring authentication credentials (and having the potential to fail with the Unauthorized error). On the other hand, the name is directly fed into the puppet class and passed into the Heat config file, not doing any Keystone lookups. You're probably right. Resource heat_domain_id_setter was not able to get authorized because it was fetching admin user too soon (in certain corner cases during HA deployment) after user creation. So avoiding that behaviour should get rid of the problem. Nevertheless we should get rid of domain creation via Python script and instead backport all the patches in future. I applied the patch locally and overcloud deployed fine, with "stack_user_domain_name = heat_stack" present in heat.conf. I think we can backport the patch. This was reverted due to issues caused in director. newer patch from comment 11 is in latest builds, so moving back to ON_QA *** Bug 1278925 has been marked as a duplicate of this bug. *** Verified the patch in c#11 in openstack-puppet-modules-2015.1.8-30.el7ost.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:2677 |